Vytivo Privacy Policy

Last Updated: September 21, 2025

This Privacy Policy explains how Vytivo Inc. ("Vytivo," "we," "us," or "our") collects, uses, discloses, and protects information about you when you use the Vytivo application and related personal health record services (the "Services"). "You" means the individual end user who accesses the Services, whether under the Vytivo brand or a white-labeled version provided by your health plan, provider, or another enterprise customer (a "Customer").

If the Services are provided to you under a contract between Vytivo and a Customer, that contract controls how we handle information for that Customer's members or patients. When a Customer is a HIPAA covered entity or business associate, and we process protected health information under a Business Associate Agreement, HIPAA and our Business Associate Agreement govern. This Policy applies where we act outside HIPAA or where this Policy provides additional transparency.

If you do not agree with this Policy, do not use the Services.

1) What we collect

1.1 Information you provide.

  • Account details. Name, contact information, account preferences, and settings.
  • Health records and content you upload or connect. Diagnoses, medications, problems, allergies, labs, claims, clinical notes, imaging reports, genomics data you choose to connect, device and wearable data you connect, and files you upload.
  • Communications. Messages to support and responses to surveys or feedback forms.

1.2 Information from connected sources you direct.

  • Providers, payers, labs, and device partners via APIs such as FHIR and SMART on FHIR.
  • Provider or payer portals if you direct us to use your credentials. We prioritize API connections and may disable credentialed access at any time.
  • Programs operated by a Customer, including care management and quality programs.

1.3 Device and technical information.

  • Device identifiers, app version, operating system, IP address, and basic event logs.
  • Limited analytics to operate and improve the Services. We do not use third-party ad pixels in authenticated areas and we do not share your health-related identifiers with advertising platforms.

1.4 Sensitive categories.

  • Health information that may include information about conditions, treatments, and biomarkers.
  • Genetic information if you choose to connect genomics.
  • Precise location only if you grant permission in your device or browser for a feature that needs it. We do not use geofencing around health care locations for advertising.

We do not knowingly collect information from children under 13. Limited use by a parent or legal guardian for a minor may be permitted where allowed by law and by the applicable Customer. We honor adolescent confidentiality rights required by state law.

2) How we use information

  • Provide and operate the Services you request, including data ingestion, normalization, longitudinal record construction, context-aware Q&A, clinician pre-reads, personalized action plans, notifications, and device integrations.
  • Maintain safety, security, fraud prevention, and system integrity.
  • Troubleshoot, support, and improve reliability and usability.
  • Meet legal, regulatory, and audit obligations.
  • With your consent, send marketing emails or texts. Marketing texts require express written consent. Reply STOP to end and HELP for help. Message and data rates may apply.

2.1 AI features and model improvement. We do not use your identifiable health information to train generalized AI models, to train models that are not dedicated to operating the Services for you and our Customers, or for advertising.

We may create and use de-identified or aggregate data for product improvement, measurement, research, or statistics. When we do so, we will apply a documented de-identification process consistent with applicable law, maintain safeguards to prevent reidentification, publicly commit not to reidentify, and require recipients to do the same.

2.2 Automated processing. Our models help summarize records, answer questions against your record, and generate clinician-ready reports. They do not make decisions that have legal or similarly significant effects about you without human involvement from your plan or provider. Where state law grants rights to opt out of certain automated processing, we will honor those rights as applicable.

3) How we share information

  • With your direction or a Customer's direction. For example, when you connect a provider, payer, lab, or device, or when your plan or provider uses Vytivo outputs for your care.
  • With service providers and subprocessors. Cloud hosting, logging, analytics, communications, and customer support, bound by written contracts that limit use to our instructions and require security safeguards.
  • For safety, security, and legal reasons. To protect you and others, to prevent fraud or abuse, or to comply with law or valid legal process.
  • Business transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred subject to this Policy. The successor must honor this Policy for existing users until we notify you of changes or your Customer directs otherwise.
  • De-identified or aggregate data. We may disclose de-identified or aggregate data that does not identify you. We commit not to reidentify and require recipients to make the same commitment.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising.

4) Your choices and rights

4.1 Access, corrections, export, and deletion.

  • You can view and download your information in your account or by contacting us.
  • You can request corrections. We may direct you to the source system when appropriate.
  • You can request deletion. We will delete or de-identify your information unless retention is required by law, our contract with a Customer, dispute resolution, or security and fraud prevention. Deletion from backups occurs on a schedule.
  • You can request a portable copy in a common format such as FHIR JSON, CSV, or PDF.

4.2 Communications choices. Operational emails or texts related to your account or care program may continue even if you opt out of marketing. Marketing texts require express written consent. You can opt out at any time by replying STOP.

4.3 State privacy rights. Depending on where you live, you may have rights to know, access, correct, delete, opt out of sale or sharing, opt out of targeted advertising, opt out of certain profiling, and appeal a decision. Submit a request to [email protected]. We will verify your identity and respond within the time required by law, usually 45 days. You may use an authorized agent where permitted. If we deny your request, you may appeal by replying to our decision with "Appeal." If you are not satisfied, you may contact your state attorney general.

4.4 California privacy disclosures. We act as a "service provider" to most Customers under the California Consumer Privacy Act. In that role we process personal information only on the Customer's instructions. Direct your requests to your plan or provider.

In any limited context where Vytivo acts as a "business," we honor CPRA rights. We do not sell or share personal information. We do not use or disclose sensitive personal information to infer characteristics. We honor Global Privacy Control signals in contexts where sale or sharing would otherwise occur.

4.5 Washington and Nevada consumer health data. Where state consumer health data laws apply, we obtain required consents, provide required rights including access and deletion, prohibit geofencing around health care facilities for advertising, and enter into required data processing and sharing agreements.

5) Special topics

5.1 Genomic information. If you choose to connect genomics, we will request any required consents and will delete the data on request unless retention is required by law or by a Customer's program rules.

5.2 Credentials for portals. If you direct us to access a provider or payer portal using credentials you provide, you represent that you are permitted to do so. We may disable credential-based access at any time and will not circumvent technical measures. We recommend API connections when available.

5.3 Cookies and similar technologies. We use only what we need to run the Service, understand performance, and secure the platform. We do not allow third-party advertising cookies in authenticated areas. You can control cookies through your browser settings. Blocking some cookies may limit functionality.

5.4 SMS and email security. Text and email are not fully secure channels. Do not include sensitive information in replies. You can opt out of marketing messages at any time.

6) Data retention

We keep information only as long as needed to provide the Services, to meet legal and contractual obligations, to resolve disputes, and to maintain security. We apply different retention periods by data type. For example, account metadata is typically retained for the life of the account plus a limited period for logs and backups, while event logs have shorter retention. When a Customer's program ends, we follow the Customer's instructions.

7) Security

We use administrative, technical, and physical safeguards designed to protect information, including encryption in transit and at rest, access controls, and logging. No system is perfectly secure. We monitor and improve our safeguards over time.

If we act as a personal health record vendor outside HIPAA and there is a breach of security of unsecured PHR identifiable health information, we will provide notices consistent with the FTC's Health Breach Notification Rule. If we act under HIPAA, we will provide breach notifications as required by our Business Associate Agreement and HIPAA.

8) Consumer Health Data Privacy Notice

Categories of consumer health data we collect. Health conditions, diagnoses, medications, problem lists, allergies, procedures, labs and biometrics, device and wearable data, claims and benefits data, care plans, care team notes, genomics if you choose to connect, and limited precise location if you grant permission for a feature that needs it.

Sources. You, your connected providers, payers, labs, devices and apps, and your Customer's programs.

Purposes. Provide and operate the Services you request, including Q&A, summaries, pre-reads, and action plans, maintain safety and security, comply with law, and improve the Services using de-identified or aggregate data only.

Sharing. With your direction or the Customer's direction, with our service providers under contract, for safety and legal compliance, for business transfers, and as de-identified or aggregate data. We do not sell consumer health data. We do not share for targeted advertising. We do not use geofencing around health care facilities for advertising.

Your rights. Access, delete, withdraw consent where applicable, and appeal. Contact [email protected].

How to exercise rights and how we verify. Email [email protected]. We will verify your identity using information associated with your account or by requesting additional details. You may use an authorized agent as allowed by law.

Security practices. Encryption in transit and at rest, access controls, role-based permissions, logging, vendor management, and ongoing monitoring.

9) International use and data transfers

The Services are intended for use in the United States and are operated from the United States. If you access the Services from outside the United States, you do so at your own risk and are responsible for compliance with local laws.

10) Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will update the "Last Updated" date at the top and provide notice as required by law. Your continued use of the Services after an update becomes effective means you accept the updated Policy.

11) How to contact us

Privacy requests and questions: [email protected]

Legal notices: [email protected]

Support: [email protected]

Mail: Vytivo Inc., 1007 N Orange St, Suite 3990, Wilmington, DE 19801

Phone: 605-884-6550

12) California disclosures for non-HIPAA contexts

If Vytivo acts as a "business" under the CPRA, the following apply:

  • Categories collected. Identifiers, contact information, health information including sensitive personal information, device and internet activity, geolocation if you enable it, and inferences about engagement with the app.
  • Business purposes. Service delivery, security, debugging, internal research, and quality assurance.
  • Sale or sharing. We do not sell or share personal information.
  • Sensitive personal information. We do not use or disclose sensitive personal information to infer characteristics.
  • Retention. We keep information only as long as necessary for the stated purposes.
  • Your rights. Know, access, correct, delete, port, and opt out of sale or sharing. Submit requests to [email protected].
  • Non-discrimination. We will not discriminate against you for exercising your privacy rights.

13) Roles and relationships

Customer relationship. In most cases, Vytivo acts as a processor or service provider to a Customer and processes information on that Customer's instructions. The Customer's Notice of Privacy Practices or privacy policy will describe how the Customer handles your information.

Direct relationship. Where you use Vytivo outside a Customer program, we act as a PHR vendor and this Policy applies directly.

14) De-identified data commitment

When we create de-identified data, we will apply a documented de-identification process consistent with applicable law, maintain safeguards to prevent reidentification, publicly commit not to reidentify, and require recipients to do the same. We use de-identified or aggregate data for product improvement and statistics. We do not include identifiable information in training datasets.

Summary of your key controls

  • You are not billed by Vytivo.
  • You can connect and disconnect sources at any time.
  • You can export and delete your data, subject to legal and program requirements.
  • We do not sell personal information and do not share for targeted ads.
  • We do not use identifiable health information to train generalized AI models.
  • We use only de-identified or aggregate data for training and product improvement, with a no-reidentification commitment.